Creating a Software Inventory for Your Small Business
Creating a software inventory might sound like a tedious chore—but in reality, it’s one of the most high-impact, low-effort cybersecurity actions a small business can take.
A good software inventory helps you:
- Identify outdated, unused, or risky software
- Spot missing updates and patches
- Know what tools are in use, by whom, and for what
- Prove software license compliance
- Adhere to cybersecurity and compliance frameworks (CIS 18, NIST, HIPAA, etc.)
🔍 What to Include in Your Software Inventory
Start by recording all software actively installed on business-owned devices. This includes:
- Operating systems (Windows, macOS)
- Productivity tools (Microsoft Office, Google Drive apps, Adobe products)
- Browsers (Chrome, Firefox, Edge, etc.)
- Security tools (antivirus, EDR, VPNs)
- Business applications (QuickBooks, Slack, CRM tools)
- Utilities and drivers (printer software, remote support tools)
- Background or auto-installed software (Java, Python, update agents, etc.)
💡 Tip: Focus on company devices first. You can also expand to personally owned devices used for work, if they play a major role in business operations.
🛠 How to Find Installed Software
The easiest way is to check software directly on each device:
- Windows: Open Control Panel → Programs and Features, or Settings → Apps, to view installed software.
- macOS: Use Finder → Applications, or open System Settings → General → Storage → Applications.
Also check your browser extensions and any SaaS apps your team relies on—even if nothing is technically “installed.” If you use cloud platforms like Microsoft 365 or Google Workspace, take note of them.
💡 Advanced Tip: Use automated tools like PowerShell scripts, RMM agents, or third-party software asset management tools for faster, scalable inventorying—especially helpful once your business has more than a few devices.
🧾 What Should I Record in the Software Inventory?
We recommend starting with the following columns:
- Software Name
- Version
- Publisher
- Device(s) Installed On
- Install Date
- License Required (Yes/No)
These fields help build a clear picture of your software environment. You can optionally track:
- License key and expiration
- Last used date
- Source (how/where it was installed)
- Automatic updates setting
- Security risk rating (if known)
Start simple—you can always build on it later.
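As an added example (not part of the original course material), the PowerShell script below shows one way to automate the Windows step from the Advanced Tip above: it reads the registry Uninstall keys on the local machine and writes a CSV with the recommended columns. The output file name and the blank License Required column are assumptions; licensing has to be filled in by hand.

```powershell
# Added example: export installed Windows software using the recommended columns.
# Run on each device; the output file name below is an assumption.

# Registry locations where installers register themselves
# (64-bit machine-wide, 32-bit machine-wide, and current-user installs).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Convert-InstallDate {
    param([string]$Raw)
    # InstallDate is normally yyyyMMdd, but many installers leave it blank or malformed.
    $parsed = [datetime]::MinValue
    $ok = [datetime]::TryParseExact($Raw, 'yyyyMMdd',
        [cultureinfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]::None, [ref]$parsed)
    if ($ok) { $parsed.ToString('yyyy-MM-dd') } else { '' }
}

$inventory = @(
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        # Skip entries with no display name and hidden system components.
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
        ForEach-Object {
            [pscustomobject]@{
                'Software Name'          = $_.DisplayName.Trim()
                'Version'                = $_.DisplayVersion
                'Publisher'              = $_.Publisher
                'Device(s) Installed On' = $env:COMPUTERNAME
                'Install Date'           = Convert-InstallDate $_.InstallDate
                'License Required'       = ''   # fill in by hand: Yes/No
            }
        } |
        # The same program can appear under more than one key; keep one row each.
        Sort-Object -Property 'Software Name', 'Version' -Unique
)

$outFile = Join-Path $PWD "software-inventory-$env:COMPUTERNAME.csv"
$inventory | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
Write-Host "$($inventory.Count) entries written to $outFile"
```

Microsoft Store apps and browser extensions do not appear under these registry keys, so record them separately.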
🔁 Keep It Updated
As with a hardware inventory, a software inventory isn’t just a “one and done” activity. Schedule a quick quarterly review:
- Are there new apps?
- Are old or unused ones still hanging around?
- Has anything fallen out of date or out of compliance?
Automated tools or even a recurring checklist can make this easy to manage over time.
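The quarterly review questions above can be answered by comparing two saved inventory files. The following is an added example, not part of the original course material; the function name `Compare-Inventory`, the device name, and both snapshots are constructed for illustration.

```powershell
# Added example. Both snapshots are constructed sample data, not a real inventory;
# in practice load two saved inventory files with Import-Csv instead.
$lastQuarter = @'
Software Name,Version,Device(s) Installed On
Google Chrome,120.0.1,FRONT-DESK
QuickBooks,33.0,FRONT-DESK
Old PDF Tool,2.1,FRONT-DESK
'@ | ConvertFrom-Csv

$thisQuarter = @'
Software Name,Version,Device(s) Installed On
Google Chrome,126.0.2,FRONT-DESK
QuickBooks,33.0,FRONT-DESK
Remote Support Tool,5.2,FRONT-DESK
'@ | ConvertFrom-Csv

function Compare-Inventory {
    param([object[]]$Old, [object[]]$New)

    # Index each snapshot by device + software name (hashtable keys are case-insensitive).
    $oldBy = @{}; $newBy = @{}
    foreach ($r in $Old) { $oldBy["$($r.'Device(s) Installed On')|$($r.'Software Name')"] = $r }
    foreach ($r in $New) { $newBy["$($r.'Device(s) Installed On')|$($r.'Software Name')"] = $r }
    $keys = @($oldBy.Keys) + @($newBy.Keys) | Sort-Object -Unique

    foreach ($key in $keys) {
        $o = $oldBy[$key]
        $n = $newBy[$key]
        if (-not $o) {
            $change = 'New app: confirm it is approved'
        } elseif (-not $n) {
            $change = 'Removed: drop from inventory'
        } elseif ($o.Version -eq $n.Version) {
            $change = 'Version unchanged: check for updates or disuse'
        } else {
            $change = 'Updated'
        }
        $row = if ($n) { $n } else { $o }
        [pscustomobject]@{
            'Device'        = $row.'Device(s) Installed On'
            'Software Name' = $row.'Software Name'
            'Old Version'   = $o.Version
            'New Version'   = $n.Version
            'Change'        = $change
        }
    }
}

Compare-Inventory -Old $lastQuarter -New $thisQuarter | Format-Table -AutoSize
```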
Later in the course, we will learn about a topic called the Principle of Least Privilege. It sounds complex, but one of its most important points is simple: not just any user should be allowed to install or manage software. Administrative activities like installing, removing, or managing software should only be performed using an account dedicated to that purpose. The simplest example would be to only allow the Administrator account on a computer to perform these types of activities. In addition to improving security, following the Principle of Least Privilege also makes software easier to manage. You’ll know that users aren’t installing or removing applications or doing other risky things with software, because they just aren’t allowed to.
Even single-person small businesses without employees can gain both the security and management benefits of following the Principle of Least Privilege! However, you don’t need to deploy it right away. We’ve structured this course in the most logical way. Once you’ve completed both a hardware and software inventory, you’ll be much better equipped to take the next steps toward enterprise-grade cybersecurity for your small business.
Software Inventory Field Descriptions
The following descriptions for the inventory fields may be of use:
Recommended Minimum Fields
Column | Description |
---|---|
Software Name | The name of the application or program (e.g., Microsoft Word, Chrome, QuickBooks). |
Version | The version number installed (e.g., 23.4.1). Important for checking if software is up to date or vulnerable. |
Publisher / Vendor | The developer or company behind the software (e.g., Microsoft, Google, Adobe). |
Device(s) Installed On | The name(s) of the device(s) where the software is installed. Helps track usage and license distribution. |
Install Date | When the software was installed. Useful for auditing and lifecycle management. |
License Required | Whether the software needs a license to use legally (Yes/No). |
Optional Fields You May Want to Track
Column | Description |
---|---|
License Key / Info | License key or reference to where license information is stored. Helps prove compliance. |
License Expiration Date | When the license expires (if applicable). Important for renewals and avoiding service disruptions. |
Cost / Pricing Plan | The purchase cost or subscription details (e.g., Free, $9.99/month). |
Last Used Date | The most recent time the software was opened or used. Useful for identifying unused or unnecessary software. |
Source / Installation Method | Where the software came from (e.g., Company Portal, Downloaded from vendor, Microsoft Store). |
Purpose / Function | A short note about what the software is used for (e.g., “Accounting”, “Email”, “Design”). |
Cloud-Based? | Whether the software is a cloud-based SaaS app (e.g., Google Workspace, Salesforce). Helps differentiate install-based from web-based tools. |
Security Risk Level | Optional internal assessment (e.g., Low, Medium, High) based on the software’s permissions, connectivity, or past vulnerabilities. |
Automatic Updates Enabled? | Whether the software automatically checks for and installs updates (Yes/No). |
Administrator Rights Required? | Whether elevated privileges are needed to install, run, or update the software (Yes/No). |